Several people have registered their interest in getting a CryptoParty started in Cardiff, and we’re in the process of doing that. Hopefully the first meeting will be quite soon.
What is this CryptoParty thing? It’s a seed of a movement that began in Australia sometime within the last couple of weeks, after an exchange between a digital rights activist and a few security people. Now there are efforts to establish branches across most parts of the world.
Now I should point out that it’s not a hacking or coding event, but something aimed at the average person worried about their privacy, what personal data is being exposed, how that data could be used, and what tools are available to protect it. In some respects, it’s an infosec crash course. However, the opportunity to demystify cryptography while learning how to develop a better cryptosystem might present itself.

Something prompted the CryptoParty. It might have been the realisation that safeguards or ‘checks and balances’ don’t provide any real protection when it comes to digital rights. The last three years have taught us that loyalties change and goalposts are moved. There’s always potential for legislation that reverses whatever gains are made because the technology itself allows it, as the Cypherpunk Manifesto says. Certain groups have always known this, but they were much fewer in number compared to the campaigners. The CryptoParty, if it does turn into a real movement, is a huge step in the right direction.
It might have been two other things in the news last week: a data retention bill and a traffic filtering proposal for the UK.

The ‘Anti-Pornography’ Filter
ISPs might be required to block pornographic content by default, unless their customers have opted out. Unless the filter were somehow limited to X-rated sites, what counts as pornography is open to interpretation, as is whatever rating system is applied; it could end up covering textbook illustrations, cartoons, keyword matches, and so on. Imagine the average school library filter applied to the wider Internet.
But this isn’t the reason I’m concerned about this idea. I suspect the true motive is the regulation of what gets communicated over the Internet, and the capability to block other content at short notice.

As I pointed out before, people are more likely to use a VPN or proxy than put their names on a pornography list, and we could expect to see this countermeasure becoming standard. Tim Loughton, who was until recently a head of the UK Council for Child Internet Safety (UKCCIS), was quoted in The Register as saying: ‘There is a cottage industry of people, mostly operating outside the UK, continually creating and proliferating proxy websites that provide links to adult and harmful content.’
That comment is factually and demonstrably incorrect. Those of us who operate proxies aren’t running any ‘cottage industry’, and neither have I encountered any such service that provides links to ‘adult and harmful content’.

Communications Data Bill
The other factor is the Communications Data Bill, now commonly known as the ‘Snoopers Charter’. On the surface it looks pretty bad, but let’s see it for what it is, relative to the laws and surveillance powers that already exist.
Unlike New Labour’s Interception Modernisation Programme, this bill limits who can access the data to SOCA and the National Crime Agency, the three intelligence agencies, and Revenue and Customs. In some ways it limits the damage caused by the European Data Retention Act, which Tony Blair was said to be the main proponent of ten years ago. The real danger is of revisions being made in future to ‘streamline’ the process for accessing the data and extend it to other departments.
Unfortunately the taxpayer will foot the bill for this programme, at a cost of at least £1.8 billion. This dwarfs the c£670 million spent on actual Internet security.

A rumour going around is the plan includes deploying a widespread man-in-the-middle SSL interception system with fake SSL certificates. I’ve trawled through the 120+ pages of the bill and scanned for keywords, but couldn’t find anything specific on this. At any rate, no government would attempt something that dangerous unless things have seriously gone to shit. Secure transactions would no longer be possible over the Internet, and that would be the end of online banking and e-commerce to say the least, as it would break the very technology designed to prevent MITM attacks. It’s no exaggeration to predict that businesses would quickly find themselves bankrupted by criminals as flaws in the system become apparent. The losses would be enough to cripple the economy. The technical reasons can be found on the UWN Thesis blog.

Where Next?
The Communications Data Bill has its good and bad points, and it’s yet to become legislation. We don’t know what changes will be made by then. I believe the consultation period has just finished for the pornography blocking proposal, which I personally doubt will have much effect whether or not it becomes mandated.
While it’s not the end of the world, people are right to be concerned. Everyone has something to hide, and the need to sometimes discuss things in confidence, whether it’s through emailing their GP, seeking advice on a forum, or whatever. We have a duty to make sure that remains possible.

As I’ve said, any legislation could be amended and there’s always potential for abuse by future governments, say 20-50 years down the line. What might be perfectly legal now could be outlawed tomorrow. The Internet will adapt to this, eventually becoming entirely encrypted, but it’s going to take some work by the CryptoParty and similar organisations.

Here’s an ISP’s reply to the “snoopers charter” – that might help in your review.

LINX Statement

The draft Bill contemplates the collection of a large amount of personal communications data. Both the volume and range of data to be collected are unprecedented in the UK, and probably in the world.

In our analysis the “filtering arrangements” provided for in clauses 14-16 are best understood as a “profiling engine” which creates detailed profiles on all users of electronic communications systems and makes those profiles available for sophisticated data mining.

In our opinion this profiling engine amounts to an enormously powerful tool for public authorities. Its mere existence significantly implicates privacy rights, and its extensive use would represent a dramatic shift in the balance between personal privacy and the capabilities of the State to investigate and analyse the citizen.

Profile

I am a network security enthusiast with a decade of UNIX/Linux sysadmin experience, but my career is currently in DevOps, where I create, manage, maintain and document large amounts of code for several large public sector projects. I still do the occasional bit of security consulting for businesses.
In 2014 I was awarded a Masters' degree in Computer Security (with distinction) at the University of South Wales, and also the Tiger Scheme Associate certification shortly after. In July 2015 I was awarded the ISTQB/BCS Certified Tester certification.